bash 以受限用户身份运行 monit 并使其监视需要 root 权限的进程
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6542830/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Running monit as a restricted user and making it watch a process that needs root privileges
提问by FullOfCaffeine
I have a specific script written in Ruby that needs root privileges. Most of the other processes don't need that and so were easy to setup in Monit. Not this one.
我有一个用 Ruby 编写的需要 root 权限的特定脚本。大多数其他进程不需要它,因此很容易在 Monit 中设置。不是这个。
The server needs to listen at 386, and this port is only available for root. I won't get into the details of why, because 1) I'm not a low-level kind of guy, 2) It worked fine so far when using sudo.
服务器需要监听386,这个端口只对root可用。我不会详细说明原因,因为 1) 我不是一个低级的人,2) 到目前为止,在使用 sudo 时它运行良好。
The monit configuration file is simple and looks like this:
monit 配置文件很简单,如下所示:
set logfile syslog facility LOG_daemon # Default facility is LOG_USER
set mailserver smtp.sendgrid.net
username "blah", password "blah"
with timeout 20 seconds
set alert [email protected]
set logfile /home/deploy/monit.log
check process ldapserver
with pidfile /var/pids/ldap_server.pid
start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"
stop program = "/bin/sh"
Note: I've put /bin/sh in the stop program because there's not a stop program for this process.
注意:我已将 /bin/sh 放在停止程序中,因为此进程没有停止程序。
If I put like this:
如果我这样说:
start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"
It fails to start. No hints.
它无法启动。没有提示。
start program = "/usr/bin/sudo -u deploy /usr/local/bin/ruby /var/lib/ldap_server.rb
Fails as well. No output.
同样失败。没有输出。
start program = "/bin/su deploy -c '/usr/local/bin/ruby /var/lib/ldap_server.rb'
Fails to start.
无法启动。
I also tried redirecting the output using > ~/out.log 2 > &1to capture stderr and stdout but it doesn't seem to work.
我还尝试使用> ~/out.log 2 > &1捕获 stderr 和 stdout重定向输出,但它似乎不起作用。
Now, I'm starting monit under the deploy user, which is restricted. So, I'd need to somehow run the ldap server as root, but turns out it's quite hard to do.
现在,我在部署用户下启动 monit,这是受限制的。所以,我需要以某种方式以 root 身份运行 ldap 服务器,但事实证明这很难做到。
Could someone enlighten me ?
有人可以启发我吗?
Cheers,
干杯,
M>
男>
回答by Shane Mc Cormack
Using sudoor suto run the script as the 'deploy' user won't help (as monit is already running as that user anyway, and it needs to run as root).
使用sudo或su以“部署”用户身份运行脚本将无济于事(因为无论如何 monit 已经以该用户身份运行,并且它需要以 root 身份运行)。
Also, sudo will by default prompt for a password, which monit won't be able to provide.
此外,sudo 默认会提示输入密码,而 monit 无法提供。
One way to solve this would be to create a file /usr/bin/startLDAPServer.shand make it executable (chmod a+x /usr/bin/startLDAPServer.sh) with the following contents:
解决此问题的一种方法是创建一个文件/usr/bin/startLDAPServer.sh并使其chmod a+x /usr/bin/startLDAPServer.sh具有以下内容可执行 ( ):
#!/bin/sh
/usr/local/bin/ruby /var/lib/ldap_server.rb
and then add this line to your /etc/sudoersfile:
然后将此行添加到您的/etc/sudoers文件中:
deploy ALL =NOPASSWD:/usr/bin/startLDAPServer.sh
You can then use:
然后您可以使用:
start program = "/usr/bin/sudo /usr/bin/startLDAPServer.sh"
in monit.
在监控中。
